Calvin Cohen – Global Policy Watch
https://www.globalpolicywatch.com
Key Public Policy Developments Around the World

GAO Testimony Before Congress Regarding Emerging Opportunities, Challenges, and Implications for Policy and Research with Artificial Intelligence
https://www.globalpolicywatch.com/2018/07/gao-testimony-before-congress-regarding-emerging-opportunities-challenges-and-implications-for-policy-and-research-with-artificial-intelligence/
Wed, 11 Jul 2018 13:49:56 +0000

Timothy M. Persons, GAO Chief Scientist Applied Research and Methods, recently provided testimony on artificial intelligence (“AI”) before the House of Representatives’ Subcommittees on Research and Technology and Energy, Committee on Science, Space, and Technology. Specifically, his testimony summarized a prior GAO technological assessment on AI from March 2018. Persons’ statement addressed three areas: (1) AI has evolved over time; (2) the opportunities and future promise of AI, as well as its principal challenges and risks; and (3) the policy implications and research priorities resulting from advances in AI. This statement by a GAO official is instructive for how the government is thinking about the future of AI, and how government contractors can, too.

The Evolution and Characteristics of AI

Persons stated that AI can be defined as either “narrow,” meaning “applications that provide domain-specific expertise or task completion,” or “general,” meaning an “application that exhibits intelligence comparable to a human, or beyond.” Although AI has evolved since the 1950s, Persons cited today’s “increased data availability, storage, and processing power” as explanations for why AI occupies such a central role in today’s discourse. And while we see many instances of narrow AI, general AI is still in its formative stages.

Persons described “three waves” of AI. The first wave is characterized by “expert knowledge or criteria developed in law or other authoritative sources and encoded into a computer algorithm,” such as tax preparation services. The second wave is characterized by machine learning and perception, and includes many technologies recognizable today such as voice-activated digital assistants and self-driving cars. The third wave is characterized by “the strengths of first- and second-wave AI . . . capable of contextual sophistication, abstraction, and explanation”; an example cited in his testimony was a ship navigating the seas without human intervention. This third wave is just in its beginning stages.

Benefits of Artificial Intelligence and Challenges to Its Development

In his testimony, Persons summarized a number of benefits from the increased prevalence of AI, including “improved economic outcomes and increased levels of productivity” for workers and companies, “improved or augmented human decision making” through AI’s faster processing of greater quantities of data, and even providing “insights into complex and pressing problems.” However, he also identified a number of challenges to further developing AI technology, such as the “barriers to collecting and sharing data” that researchers and manufacturers face, the “lack of access to adequate computing resources and requisite human capital” for AI researchers, the inadequacy of current laws and regulations to address AI, and the need for an “ethical framework for and explainability and acceptance of AI.”

In its report, GAO identified “four high-consequence sectors” for the further development of AI: cybersecurity, automated vehicles, criminal justice, and financial services. In each of these sectors, AI may be used as a valuable tool that could enhance that specific industry’s capabilities, but it also raises concerns in that industry about safety, fairness, and civil rights, among other areas.

Policy Considerations to AI and Areas Requiring More Research

Relying on the GAO report and the views of subject-matter experts, Persons’ testimony highlighted a number of policy considerations and areas that require more research to improve AI. One area was how to “incentiviz[e] data sharing.” Persons highlighted that private actors need to better share data while still finding ways to safeguard intellectual property and proprietary information. Similarly, federal agencies can share data that would otherwise not be accessible to researchers. Another area was “improving safety and security,” as the costs from cybersecurity breaches are not necessarily borne equally between manufacturers and users.

One of the more significant policy considerations that will accompany increased usage of AI is “updating the regulatory approach.” As an example, “the manufacturer of the automated vehicle bears all responsibility for crashes” under the regulatory structure as currently formulated. Persons noted that regulators may need “to be proactive” in areas like this to “improve overall public safety.” Relatedly, laws may have to adapt or evolve to allocate liability more appropriately, as “humans may not always be behind decisions that are made by automated systems.” Without appropriate regulatory guidance, who bears responsibility for problems caused by AI remains unclear. There is also a possibility for “establishing regulatory sandboxes,” which would enable regulators “to begin experimenting on a small scale and empirically test[] new ideas.”

Finally, Persons highlighted the importance of understanding “AI’s effects on employment and reimagining training and education.” The data on this subject is currently incomplete, but Persons stated that it is believed job losses and gains will be sector specific. With the increased prevalence of AI will also come the need to “reevaluate and reimagine training and education” to offset any possible job losses.

South Dakota Breach Notification Law Breaks New Ground
https://www.globalpolicywatch.com/2018/04/south-dakota-breach-notification-law-breaks-new-ground/
Wed, 04 Apr 2018 18:06:44 +0000

Last week, South Dakota became the 49th U.S. state to enact a data breach notification law with the passage of S.B. 62, which sets forth requirements for notifying state residents, the state attorney general, and major consumer reporting agencies in the event of a breach. The law, which will take effect on July 1, 2018, parallels many recently passed or amended state data breach notification laws through its inclusion of an expansive definition of “personally identifiable information” and an explicit deadline for notifying affected residents. However, a few elements of the law push further than comparable laws from other states and have the potential to shift companies’ data breach notification practices.

Under the new law, any person or business conducting business in South Dakota that owns or licenses computerized “personal or protected information” of South Dakota residents must provide notice of the breach unless certain exceptions apply. A “breach” occurs when personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. Notably, the law defines an “unauthorized person” to include not only individuals who are not authorized to acquire or disclose personal information, but also individuals who are authorized to do so but have acquired or disclosed personal information “outside the guidelines for access o[r] disclosure established by the information holder.” This specific addition to the law could impact decision-making processes for businesses who encounter potential data security incidents that parallel the characteristics set forth in the statute.

The law defines a breach to include the disclosure of personal or protected information that is unencrypted, or encrypted if the encryption key is also acquired. By implication, a breach of encrypted information without an associated compromise of the encryption key will not be covered within this definition. In order to qualify as encrypted, however, data must be rendered “unusable, unreadable, or indecipherable” either “without the use of a decryption process or key” or in accordance with the Federal Information Processing Standard 140-2 in effect on Jan. 1, 2018. Although it is not free from doubt, this provision indicates that compliance with FIPS may not be strictly required but may instead represent a more explicitly defined safe harbor that companies can implement to take advantage of this exception from disclosure requirements.

The concept of “personal or protected information” expands the scope of the information this law covers beyond other comparable state data breach notification laws. The definition of “personal information” parallels other state data breach notification laws by covering an individual’s name in conjunction with a Social Security number, driver’s license number (or other government-issued identification number), or an account, credit card, or debit card number in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account. However, the definition also covers a name in conjunction with “health information” (as defined under the Health Insurance Portability and Accountability Act) or an employer-assigned identification number in combination with any required security code, access code, password, or biometric data used for authentication purposes.

“Protected information,” on the other hand, does not need to be disclosed in connection with an individual’s name. South Dakota’s new law joins several other states that have recently begun to require disclosure of breaches of a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account. However, South Dakota’s new law also goes farther than other state laws in defining “protected information” to include an account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account, even in the absence of an individual’s name. Although most state data breach notice laws only cover such information if disclosed in connection with an individual’s name, South Dakota’s law will require disclosure of a breach of this information regardless of whether individuals’ names are involved.

South Dakota also joins a recent trend among other state data breach notification laws in setting explicit deadlines for providing notification to affected individuals, the state attorney general and major consumer reporting agencies. Under the law, an information holder must notify affected individuals of the breach by mail, email or substitute notification measures within 60 days after the discovery or notification of the breach. The law also requires an information holder to disclose the breach to the state attorney general if the breach involves more than 250 South Dakota residents. If an information holder “reasonably determines,” after an “appropriate investigation,” that the breach will not likely result in harm to affected individuals, notification to the individuals is not required, but the information holder must notify the attorney general and maintain documentation of this determination in writing for three years. The notification can also be delayed if a law enforcement agency determines that it will impede a criminal investigation, but must be provided within 30 days after the agency determines that it will not compromise the investigation.

If an information holder must notify individuals of a breach, the law states that the information holder must also notify “all consumer reporting agencies,” as defined under the Fair Credit Reporting Act, and “any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis.” This expansive requirement differs significantly from other state data breach notification laws, which often only require notification of the three major consumer reporting agencies if a breach impacts more than a specific number of state residents (usually 1,000). No explicit time frame is required for either of these types of notifications.

The new law also includes “safe harbor” provisions for HIPAA- or Gramm-Leach-Bliley Act-regulated entities that notify affected South Dakota residents in compliance with applicable federal laws or regulations. For entities that fail to disclose a breach under the new law, however, such a failure could prove costly. Under the law, the state attorney general can prosecute “each failure to disclose” as a deceptive act or practice under state law and, in addition to any remedy provided for such acts or practices by state law, may recover a civil penalty of up to $10,000 per day per violation, in addition to attorneys’ fees and costs.

South Dakota’s new law may represent the next step in the evolving landscape of compliance with varying provisions of state data breach notification laws, and several unusual provisions could complicate decision-making for businesses required to notify South Dakota residents.